includes/ProxyTools.php

   1 <?php
   2 /**
   3  * Functions for dealing with proxies
   4  * @package MediaWiki
   5  */
   6
   7 function wfGetForwardedFor() {
   8         if( function_exists( 'apache_request_headers' ) ) {
   9                 // More reliable than $_SERVER due to case and -/_ folding
  10                 $set = apache_request_headers();
  11                 $index = 'X-Forwarded-For';
  12         } else {
  13                 // Subject to spoofing with headers like X_Forwarded_For
  14                 $set = $_SERVER;
  15                 $index = 'HTTP_X_FORWARDED_FOR';
  16         }
  17         if( isset( $set[$index] ) ) {
  18                 return $set[$index];
  19         } else {
  20                 return null;
  21         }
  22 }
  23
  24 /** Work out the IP address based on various globals */
  25 function wfGetIP() {
  26         global $wgSquidServers, $wgSquidServersNoPurge, $wgIP;
  27
  28         # Return cached result
  29         if ( !empty( $wgIP ) ) {
  30                 return $wgIP;
  31         }
  32
  33         /* collect the originating ips */
  34         # Client connecting to this webserver
  35         if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
  36                 $ipchain = array( $_SERVER['REMOTE_ADDR'] );
  37         } else {
  38                 # Running on CLI?
  39                 $ipchain = array( '127.0.0.1' );
  40         }
  41         $ip = $ipchain[0];
  42
  43         # Get list of trusted proxies
  44         # Flipped for quicker access
  45         $trustedProxies = array_flip( array_merge( $wgSquidServers, $wgSquidServersNoPurge ) );
  46         if ( count( $trustedProxies ) ) {
  47                 # Append XFF on to $ipchain
  48                 $forwardedFor = wfGetForwardedFor();
  49                 if ( isset( $forwardedFor ) ) {
  50                         $xff = array_map( 'trim', explode( ',', $forwardedFor ) );
  51                         $xff = array_reverse( $xff );
  52                         $ipchain = array_merge( $ipchain, $xff );
  53                 }
  54                 # Step through XFF list and find the last address in the list which is a trusted server
  55                 # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private)
  56                 foreach ( $ipchain as $i => $curIP ) {
  57                         if ( array_key_exists( $curIP, $trustedProxies ) ) {
  58                                 if ( isset( $ipchain[$i + 1] ) && IP::isPublic( $ipchain[$i + 1] ) ) {
  59                                         $ip = $ipchain[$i + 1];
  60                                 }
  61                         } else {
  62                                 break;
  63                         }
  64                 }
  65         }
  66
  67         wfDebug( "IP: $ip\n" );
  68         $wgIP = $ip;
  69         return $ip;
  70 }
  71
  72 /**
  73  * Forks processes to scan the originating IP for an open proxy server
  74  * MemCached can be used to skip IPs that have already been scanned
  75  */
  76 function wfProxyCheck() {
  77         global $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath;
  78         global $wgUseMemCached, $wgMemc, $wgDBname, $wgProxyMemcExpiry;
  79         global $wgProxyKey;
  80
  81         if ( !$wgBlockOpenProxies ) {
  82                 return;
  83         }
  84
  85         $ip = wfGetIP();
  86
  87         # Get MemCached key
  88         $skip = false;
  89         if ( $wgUseMemCached ) {
  90                 $mcKey = "$wgDBname:proxy:ip:$ip";
  91                 $mcValue = $wgMemc->get( $mcKey );
  92                 if ( $mcValue ) {
  93                         $skip = true;
  94                 }
  95         }
  96
  97         # Fork the processes
  98         if ( !$skip ) {
  99                 $title = Title::makeTitle( NS_SPECIAL, 'Blockme' );
 100                 $iphash = md5( $ip . $wgProxyKey );
 101                 $url = $title->getFullURL( 'ip='.$iphash );
 102
 103                 foreach ( $wgProxyPorts as $port ) {
 104                         $params = implode( ' ', array(
 105                                                 escapeshellarg( $wgProxyScriptPath ),
 106                                                 escapeshellarg( $ip ),
 107                                                 escapeshellarg( $port ),
 108                                                 escapeshellarg( $url )
 109                                                 ));
 110                         exec( "php $params &>/dev/null &" );
 111                 }
 112                 # Set MemCached key
 113                 if ( $wgUseMemCached ) {
 114                         $wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry );
 115                 }
 116         }
 117 }
 118
 119 /**
 120  * Convert a network specification in CIDR notation to an integer network and a number of bits
 121  */
 122 function wfParseCIDR( $range ) {
 123         return IP::parseCIDR( $range );
 124 }
 125
 126 /**
 127  * Check if an IP address is in the local proxy list
 128  */
 129 function wfIsLocallyBlockedProxy( $ip ) {
 130         global $wgProxyList;
 131         $fname = 'wfIsLocallyBlockedProxy';
 132
 133         if ( !$wgProxyList ) {
 134                 return false;
 135         }
 136         wfProfileIn( $fname );
 137
 138         if ( !is_array( $wgProxyList ) ) {
 139                 # Load from the specified file
 140                 $wgProxyList = array_map( 'trim', file( $wgProxyList ) );
 141         }
 142
 143         if ( !is_array( $wgProxyList ) ) {
 144                 $ret = false;
 145         } elseif ( array_search( $ip, $wgProxyList ) !== false ) {
 146                 $ret = true;
 147         } elseif ( array_key_exists( $ip, $wgProxyList ) ) {
 148                 # Old-style flipped proxy list
 149                 $ret = true;
 150         } else {
 151                 $ret = false;
 152         }
 153         wfProfileOut( $fname );
 154         return $ret;
 155 }
 156
 157
 158
 159
 160 ?>